IT/OT Convergence and Cyber-Security

Today, I spoke at ComSpark as a part of a panel with Chris Nichols from LucidiaIT and David Cartmel from SMC. 

We talked extensively about convergence and the emerging threats stemming from the intertwined IT/OT world. 

If you missed it, check the ComSpark event page here. I believe they are making some of the content available via recording, though a signup might be required. 

Our virtual booth also had this excellent video around the topic. Check it out here.

Thanks and hit me up on Twitter (@lbhuston) and let me know your thoughts.

Tips For Recognizing a Phishing Email

Below are some common tips for helping to identify phishing emails at work or at home. The same rules apply.

Most Phishing Emails Originate at Common Domains

The first way to recognize a phishing email is that most originate from a public email domain.

There are few legitimate organizations that will send emails from an address that ends in @gmail.com, not even Google does this.

To check an organization’s name, type it into a search engine.Most of the time, organizations have their own email and company accounts and don’t need to use an @gmail.com address.

Check the Spelling of the Domain, Carefully!

There is another clue hidden in domain names that shows a strong indication of the scam.

Anyone can purchase a domain name from a website. There are many ways to create addresses that are easily confused with the official domain of a brand or company. The most common ways include slight mis-spellings of the domain name, or by changing one character to a number or letter that resembles the original. Be extra vigilant for these types of spoofing attempts.

Grammer and Spelling Counts

It’s often possible to tell if an email is a scam if it has poor spelling and grammar. Odd terminology or phrasing is also a clue. For example, your bank is unlikely to misspell the word checking or account, and they would not usually call an ATM machine a “cash machine”. These clues can be subtle, but often indicate that an email is not what it claims to be.

Beware of Potentially Malicious Links and Attachments

Sometimes, the wording in an email might be right, but the links send you to somewhere unexpected on the web. You can check this out in most clients and browsers by simply hovering the mouse cursor over the link without clicking on it. That’s an easy way to know where the link is taking you, and note that it might be somewhere other than what the links says it is.

You should always beware of attachments in emails. Everyone knows that malicious code and ransomware can be hiding in documents, spreadsheets and such, but they can also appear to be image files, presentations, PDFs and most types of documents. If you aren’t expecting the attachment, delete it!

Too Good To Be True

Lastly, if the offer is too good to be true, it probably is. Few people have won the lottery and been notified by email. Even less have been chosen for random gifts or to receive inheritance from Kings and Queens. Don’t be gullible, and remember, scammers are out there, and they want to trick you.

What to Do When You Spot a Phish

The first thing is to delete the email and attachments. If it is a work email, you should also notify the security team that you received it. They can investigate, as needed. In some firms, they may want you to forward it to a specific email address for the security team, but most security teams can recover the email information even if you delete it. Follow their instructions.

At home, just delete the email and tell your family and friends about it. The more folks are aware of what’s going around, the less likely there are to fall into the trap.

More Information

We’d love to discuss phishing attacks, emerging threats or common security controls for organizations. Reach out to info@microsolved.com or give us a call at 614-351-1237 for help.

Thanks for your attention, and until next time, stay safe out there.

 

 

IT Security and OT Security Converging

The term “information technology” (also known as “IT”) has been with us for more than 60 years now. It was first coined by Harold Leavitt and Thomas Whisler and published in an article in the Harvard Business Review in 1958 (long before the Internet was conceived of). It refers to all those pieces/parts that make up electronic information systems. The term “operational technology” (also known as “OT”) was first coined nearly half a century later in a research paper from Gartner in 2006. It refers to industrial control systems that are controllable from remote locations, especially those that are controllable over an Internet connection. It has spawned another new acronym: “IIoT” (“industrial internet of things”). For the security industry, these terms highlight one of the biggest security problems facing us today; securing industrial controls systems from remote attacks by cybercriminals and hostile nation states.

For most of the Information Age, such terms and considerations were not necessary. Industrial control systems were largely analog and not subject to remote attack. Even after the Internet had been well established, the security of industrial control systems was not seen as a big problem since there was little reward to be had by disrupting such systems to the average hacker. In recent years that has all changed. Industries from infrastructure (i.e. electric grids, pipelines, water systems) to the private sector (i.e. manufacturing, mining, cargo transport) have been, and continue to, embrace the Internet as a medium for controlling and communicating with their industrial controls systems. It increases efficiency and cuts cost for these concerns. It also allows them to decrease the number of personnel needed and to centralize control and monitoring of these systems. A great boon! Unfortunately, security was not well considered or implemented as these processes were put in place. As a result, industrial control systems are now among the easiest to compromise by Internet attack. On top of that, there is now an attack vector that is attracting your average cybercriminal motivated by greed to target industrial control systems: ransomware.

Ransomware allows attackers to make money from almost any business or institution, including industry and infrastructure. Modern ransomware attackers not only threaten to encrypt information and make it unavailable to legitimate users, they threaten to disrupt industrial control systems or reveal private information publicly. One example is the recent Colonial Pipeline debacle. Because of this, it is increasingly important for industrial concerns to solve their Internet security problems. This problem is finally being recognized by the U. S. Government at the highest level. President Biden has recently threatened reprisals for attacks against vital American infrastructure and manufacturing concerns.

In addition, the CISA has recently published a fact sheet detailing their recommendations for protecting these systems against ransomware attacks. These recommendations include:

  • Determining how much your critical OT systems rely on key IT infrastructure.
  • Planning for when you lose access to IT and/or OT environments.
  • Exercising your incident response plans, and testing manual controls if OT networks need to be taken offline.
  • Implementing regular data backup procedures for both OT and IT networks.
  • Requiring multi-factor authentication for both OT and IT networks, and
  • Segmenting IT and OT networks.

These are good suggestions and should be implemented ASAP. However, they are not a panacea. Nobody to date has come up with a true answer to the problem of cyberattacks against industrial control systems. Because of this it is important to remain flexible and to devote adequate resources for fighting this very thorny problem.

Time to Revise and Update Your Incident Response Program

The last couple of years has seen a truly disturbing increase in the sophistication and effectiveness of cyberattacks. It seems that private cybercriminal organizations and those of nation states are feeding off of, and even actively supporting each other; sharing techniques and malware. Attacks are coming fast and furious from various angles that are difficult to predict. If it isn’t attacks against vulnerabilities in the DNS system, it’s exploits of weaknesses in cloud containers, input-output systems, or some other technical problem. Added to that are the ever-present threats of phishing attacks, application compromises, zero-days and ransomware attacks. What’s coming next is anyone’s guess, but I doubt very much the situation is going to get better or easier to cope with. Despite these difficulties, though, this is not the time to throw up our hands in despair. This is the time to prepare as well as may be.

One factor that makes all of these cyber-woes worse for any organization is panic. When people are surprised and unprepared, they often either freeze up and do nothing, or they do the first thing that comes to their minds no matter how inappropriate. In other words, they panic. And the more important the attacked resource is, the greater the panic that ensues. The Military has had to deal with this situation since time immemorial, and they have come up with some effective methods of dealing with it. We would be well advised to take advantage of this hard-won knowledge and apply to our own incident response plans.

The first step is to construct a program that is adapted to dealing with both the expected and the unexpected. In order to deal with the expected, we need to be constantly updating our incident response procedures to include the new attack vectors being used by the “enemy.” An example of this would be supply chain attacks. Does your current IR plan have specific information about and processes for responding to a supply chain attack? Is there information about recognizing the characteristics of a supply chain attack and how to deal with it in a step-by-step format in the plan? How about ransomware? DNS poisoning attacks? I recommend that someone from the incident response team should keep informed about the latest attacks vectors and methods and ensure that the whole team is made aware of these emerging attacks. Any that pose credible threats to your organization should be dealt with. These matters should be researched and specific methods for reacting to them should be developed and practiced. The best way to document these processes are checklists and/or decision trees. The Military has found that clearly documented processes accompanied by repeated training is the surest way of avoiding panic and making right decisions under stressful conditions.

This leads me to methods for preparing your IR team for dealing with the unexpected. Again, I’ll take a cue from the Military. Dealing effectively and calmly with the unexpected in incident response is largely a matter of mindset. As they teach recruits in the Marines, you need to learn to adapt and overcome. The problem is, when you are at panic-level stress, it is exceedingly difficult to think calmly, rationally and logically. Training is the answer to this problem.

Personnel should understand the signs that they are heading towards panic and practice using their logical minds to help control their emotional responses. This is admittedly a difficult thing to do, and the only way I know of to go about it is to practice. IR training sessions should be conducted often, and part of that training should be aimed at preparing the team for handling stressful and unexpected situations. To accomplish this, I recommend unannounced incident response training sessions that the team has no idea are not real. If the team does not believe that the incident is really occurring, they will never become inured to the stress of the situation. They must learn on a visceral level that the worst thing one can do under stress is to surrender to unreason and panic. After all, a calm and rational human mind is the most effective tool and problem solver in the known universe.

 

Credential Stuffing a Thorny Problem

Every week I read about websites, companies or institutions that have had their authentication databases hacked revealing the email addresses, user names and passwords employed by their users. This happens so often that people have become inured and hardly give it a thought. But the rise in successful credential stuffing attacks shows that this is a dangerous attitude to take.

Credential stuffing is different than brute force and password spraying attacks. In a brute force attack, hackers try a large number of passwords against a specific user account hoping for a valid match. Similarly, password spraying attacks try a large number of passwords against a whole list of users hoping for the same result. In credential stuffing attacks, however, hackers try valid user name/password pairs that have been previously compromised against different services, websites or institutions.

In a perfect world, credential stuffing wouldn’t work. All of us would use a unique user name/password pair for access to each of our user accounts across the board. Unfortunately, the world and we who live in it, are far less than perfect. People almost always have a few passwords that they use for multiple accounts. And this is not merely laziness on the part of the user. It is because people become overwhelmed. Most of us have dozens if not hundreds of websites or services we need to access; some on a daily basis and some only irregularly. And we are supposed to memorize (and not write down) unique credentials for each one?! Add to that the fact that we are prompted to change many of these passwords at least several times a year and the mind boggles.

Fighting credential stuffing is difficult for people. One of the simpler methods is to use a password manager. These tools encrypt and record your passwords in a form that you can access easily. Some provide other services and even help generate new passwords. However, using a password manager adds another step to logging in and other overhead. Also, several password managers have themselves been compromised by hackers.

Multi-factor authentication is another tool that makes credential stuffing more difficult for the attacker. It is a great tool for protecting authentication and should be use by everyone in my opinion. However, there are ways around MFA as well so it is only an imperfect solution to the problem. CAPTCHA puzzles can be used to spot bots and ensure that a human is trying the credentials, but cybercriminals employ click farms to get around this mechanism.

Behavioral biometrics is one of the newer methods used to help spot and prevent credential stuffing attacks. These tools build up a picture of how individual users interact with their computers; a picture that can be as unique as a fingerprint. They also have the advantage of being invisible to the user and don’t require any action on the user’s part. Using these along with other anomaly detection tools seems like a good bet to me.

As always, I personally recommend using all three factors that can be used to identify an individual to an authentication system: something you know, something you have and something you are. Of course, this method too adds overhead and complexity to the user experience. Sigh! I think the person who comes up with an infallible method for identifying an individual to an electronic system would probably end up as rich as Bill Gates!

RTF Releases a Comprehensive Framework for Combating Ransomware

Ransomware is a modern-day offshoot of a crime that has plagued humanity for thousands of years: kidnapping for ransom. Cybercriminals simply replaced the theft of a human being with the theft of information. Both are precious, both are fragile and the destruction of either one will lead to the suffering of many. And to avoid such suffering, it is a long-proven fact that people will pay through the nose! The high probability of a payoff is the reason ransomware works.

Although ransomware has been around since at least 1989, the last few years have seen a real explosion in the problem. I have written several blogs about the growing problem of ransomware in the last year, and there is at least one group out there that is not only just as concerned about the problem as I am, they have done something about it.

The Ransomware Task Force (RTF) is an international group of more than 60 experts from organizations and disciplines that include governments, law enforcement agencies, computer security experts, researchers and academics that are backed by Microsoft, Amazon, the FBI and the UK’s National Crime Agency. Together, they have developed and recently released a considered and comprehensive framework for addressing the ransomware problem entitled Combating Ransomware. It is available for free download on the Internet.

One of the main posits of this group is that ransomware has moved past being a mere crime of financial extortion into the realm of a national security issue. Their reasoning behind this is that ransomware has “disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and U.S. military facilities. It is also a crime that funnels both private funds and tax dollars toward global criminal organizations.” I couldn’t agree more with view, especially in light of the more modern practice of exposing the “kidnapped” and deciphered information of the victims on public websites, sometime even after the ransom has been paid.

The framework begins with five high-level priority recommendations that include (paraphrased):

  1. Coordinating international diplomatic efforts to fight ransomware employing a comprehensive resourced strategy, including a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
  2. The United States should lead the efforts by example. They should execute a sustained, whole government, intelligence driven anti-ransomware campaign coordinated by the White House.
  3. Governments should establish funds for fighting ransomware, and should require organization to consider alternatives before making payments.
  4. There should be a an internationally accepted framework to help organizations prepare for, respond to and recover from ransomware attacks.
  5. The cryptocurrency sector that enables ransomware crime should be more closely regulated.

Next, the framework dissects the ransomware problem, discussing history, threats/threat actors, impacts to society and business, cyber-insurance and ransomware, the role of cryptocurrency plays in the ransomware problem and more. This information gives the reader a broad picture of ransomware and its effects around the globe.

Next, the comprehensive framework for action is detailed. This framework is based on four basic goals:

  1. Deter ransomware attacks.
  2. Disrupt the ransomware business model.
  3. Help organizations prepare.
  4. Respond to ransomware attacks more effectively.

These basic goals are then divided into a series of objectives and action items (a total of 48 of these). The RTF Points out that these recommendations need to be wholly implemented to have any chance of being effective, and that the real challenge will come in the actual implementation of the framework. I agree with this assessment as well. Ransomware, indeed modern state-driven cybercrime in general cannot be addressed piecemeal; we all must work together in a coordinated fashion if we are ever to effectively address these ever-worsening problems.

New CISA and NIST Joint Document Helps Organization Understand and Defend Against Software Supply Chain Attacks

Although it was far from the first one, the software supply chain attack against SolarWinds was truly devastating. We are still suffering from related attacks, and no one yet knows what the full consequences of the compromise will be. Since the attack, organizations of all sorts have been scrambling to prepare themselves for similar attacks and to find ways to prevent them from affecting them. The good news for these organizations is that now there is new authoritative guidance just published to help them.

This month, the CISA and NIST released a joint paper entitled “Defending Against Software Supply Chain Attacks.” This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The paper begins by explaining what the larger information and communications technology (ICT) supply chain framework is, how the software supply chain fits into it and what the six phases of the ICT Supply Chain Lifecycle are. They illustrate how vulnerabilities can creep into each phase of this life cycle and give examples of past compromises. They explain some particular reasons why software supply chain attacks are so attractive to cyber-criminals, who is most likely to be behind such attacks and some of the most common attack vectors used by these criminals.

One of the big points they make is how difficult it is for network defenders to quickly mitigate the consequences of a software supply chain attack after it has occurred. They emphasize that only by being prepared for software supply chain attacks before they occur can organizations hope to properly prevent and effectively respond to these attacks. They recommend that a formal C-SCRM approach should be employed across the organization, business and system tiers of the organization.

NIST includes a list of eight key practices for customers for establishing a C-SCRM approach which include:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  1. Understand the organization’s supply chain.
  2. Closely collaborate with key suppliers.
  3. Include key suppliers in resilience and improvement activities.
  1. Assess and monitor throughout the supplier relationship.
  2. Plan for the full lifecycle.

The paper then goes into actions customers can take to prevent acquiring malicious or vulnerable software, actions customers can take to mitigate deployed malicious or vulnerable software and actions customers can take to increase resilience measures to help mitigate the impact of a successful attack. The paper then provides valuable recommendations for software vendors themselves to take in fighting this problem.

I highly recommend that organizations at risk from software supply chain attacks download this guidance and take it to heart. Only an organized, prepared and resilient information security program has any hope of helping organizations fight software supply chain attacks. Happily, instituting a proper infosec program such as described will also help you protect your organization from the other types of cyber-attacks that currently plague us.

Multi-Factor Authentication More Important Than Ever

Every week while I am reviewing the infosec news I read about more and bigger compromises of user account information. If users themselves are not falling for phishing attacks and entering their user name and passwords into bogus webpages, then their user name and passwords are being compromised when some company database gets hacked. The danger becomes much greater when we consider that most of us use just a few different passwords for all of our accounts. Savvy hackers could take advantage of this and clean you out before you even realized that your secrets had been compromised.

The easiest and most effective way that you personally can help protect yourself in this horrible online environment is to implement multi-factor authentication (MFA) for everything you access. This includes email, online banking, social media, online shopping and everything else that you can think of. And, believe me, I know what a pain it can be to always be hassling with MFA mechanisms! You often have to get a code from another device or carry a dongle with you. It takes time, and you keep having to do it over and over again. It gets old very quickly.

But wait! There are more problems involved than just the hassle of using MFA. Once you have implemented it, you also have to worry about being locked out of your account. Say for example you are trying to get a code to enter into your laptop but your phone is dead or out of range. You are left high and dry. Having at least two options for authentication can help you here.

Another thing to consider is the danger of using SMS for sending MFA authentication codes. The main weakness here is depending on the cell phone providers themselves. These providers are susceptible to the same weaknesses as the rest of us and are vulnerable to phishing, spoofing, malware and social engineering. Also, providers can be tricked into porting a phone number into a new device; a hack called SIM swapping.

There is a better alternative available in the form of authentication apps such as Google Authenticator. The advantage here is that to get a code, you are not relying on your carrier. The codes stay with the app, and hackers can’t get them even if they manage to move your number to a different phone.

Once again, you have to be careful that using MFA doesn’t cause you to be locked out of your own account. Google Authenticator provides you with a number of recovery codes when you first sign up that allow you to access your account if there is a problem. But these codes now need to be protected from hacker access. Make sure you have a good way to store these codes that hackers are not likely to be able to get at. If not, you have just lost all the security advantages you have just instituted.

Side Channel Attacks: Another Cyber-Danger to Worry About!

Governments, businesses, private organizations and people in general are doing more each year to address the dangers of cyberattacks. The big problem is, we are always playing catchup! Every time we address one vulnerability in cyber-systems, attackers come up with a fresh way to attack them. One of these vulnerabilities that is enjoying increased attention by the bad guys in recent years is side channel attacks.

In side channel attacks, attackers analyze signals or metadata or video or other kinds of emanations made by devices to deduce what users are typing or what their mouse movements are or what crypto key is being used or lots of other things. It is absolutely fascinating what can be learned by these techniques! In a recent example, a research team from Texas found that they could analyze video calls and deduce what people are typing by mapping their shoulder movements. If you were on a conference call, you might be able to use this technique to determine what people on the other end are chatting about while you talk. Quite a business advantage!

There are many types of side channel attacks, but a lot of them rely on the propensity of electromagnetic signals to propagate. People think that it is easy to stop an electromagnetic signal, but it really is not. Even though signals from keyboards, mice, power systems and the like might be very weak, they can be recovered and amplified easily if you are in the right position. Signals can also go through things like walls and windows, as evinced by cell phone signals.

IoT devices are among the juiciest vectors for side channel attacks. They almost all emit electromagnetic signals, they are connected to the Internet and they are often not properly isolated from internal computer networks. They also often use light weight cryptographic techniques and old, vulnerable operating systems. This makes these devices very tempting targets for cyber-criminals.

So how do we protect our networks and information from side channel attacks? There are many methods that can be employed. One method is stop or dampen electromagnetic signals emitted from the devices, such as by use of a Faraday cage or ultra-low power source. You can also make sure that your private and work areas are protected from peeping and eavesdropping. Another method is to use power line conditioning and filtering to help stop power-monitoring attacks. For cryptographic side channel attacks, you can blur the relationship between the information emitted and the secret data you are trying to protect. My personal advice is to keep yourself abreast of the new side channels and side channel attacks that are emerging and to react immediately and appropriately to protect yourself and your business.

Exchange Server Zero-Day Attack Sign of More to Come

Another sophisticated and widespread cyber attack just made the news last week. This attack, dubbed ProxyLogon, strings together four zero-day vulnerabilities in Microsoft Exchange Server that allow attackers to take over servers, compromise email and implant a web shell that gives them the ability to execute code on the servers from anywhere without authentication. Microsoft immediately released emergency patches for the identified vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These attacks, initially attributed to the China-backed group Hafnium, were first noticed in early January and reported to Microsoft on March 2. It has since been determined that multiple advanced persistent threat groups have also been using this same exploit since about the same time of the Microsoft patch release (March 2), and that hundreds of thousands of servers around the world have already been attacked.

News of the attack caused immediate panic on multiple levels of government and industry. The CISA recommended immediately patching these issues or unplugging Exchange servers until they are patched. They also recommended that all possibly affected organizations should immediately take steps to determine if their systems have already been compromised. The word everyone is using here is “immediate.”

This Exchange Server attack surely does remind me of the way the devastating supply chain attacks we are still dealing with. Here we have highly enabled, state backed hacking groups systematically identifying cyber-vulnerabilities of every type, developing a group of exploits designed to take advantage of these vulnerabilities, identifying lots of fat targets to hit and then striking all of those targets at once. That is evidently the same thing that is happening with the Exchange Server attacks. And curiously, both these attacks and the supply chain attacks exploited flaws that had been present in the code for ten years or more. What’s more, if these Exchange Server attacks follow the same program, we can expect follow up exploits to be waiting in the eaves to further exploit the vulnerabilities and the panic they fomented.

What this tells me is that we are presently in the first stages of a global cyberwar whether we recognize it or not. So far, we are just taking the hit and scrambling around playing catch up while we try to figure out how to effectively address the problem. However, the enemy does not seem to be giving us time to sort things out. What would you like to bet that another, similarly devastating attack will hit us in no more than six months from now? I would put a nice chunk of change on that bet!

Another thing that these attacks show me is that we have gotten distributed network security wrong from the very beginning. The basic code that still lies at the very core of the Internet was never designed with security in mind and is basically flawed. We adopted it anyway and by the time security problems started to manifest themselves, it was too late; the paradigm was set. Going back and revamping it will prove to be impossible. You might as well try to get Americans to drive on the left side of the road, say “ahoy” instead of “hello” when answering the telephone and to use Metric measurements rather than Standard.

So how are we going to keep our riches and information safe from the Cyber Scourge? I certainly don’t have an answer that has any chance of actually being implemented. However, I would venture to guess that whatever solutions appear in the near future, they will probably be Draconian! Time for everyone to plan on expending a bigger chunk of their resources on cyber-security.